Bug 2081227 (CVE-2022-26491)

Summary: CVE-2022-26491 pidgin: MITM attack possible on non-DNSSEC XMPP connections
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: debarshir, jskarvad, stu
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: pidgin 2.14.9
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Pidgin. This issue allows a man-in-the-middle (MITM) attack against a client via DNS spoofing if the XMPP connections do not use the Domain Name System Security Extensions (DNSSEC).
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-09-28 14:02:09 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2081228, 2082665
Bug Blocks: 2081229

Description Marian Rehak 2022-05-03 06:39:20 UTC
It was discovered that in pidgin before 2.14.9, if not using DNSSEC, it is trivial to perform a man-in-the-middle attack against a client via DNS spoofing.

Reference:

https://pidgin.im/about/security/advisories/cve-2022-26491/

Comment 1 Marian Rehak 2022-05-03 06:39:35 UTC
Created pidgin tracking bugs for this issue:

Affects: fedora-all [bug 2081228]